My sympathies for the guy, and I'm not blaming the victim, but there is a basic safety rule that every aspiring hacker needs to understand, right now, right up there with 'fasten your seatbelt' and 'don't feed the bears':
DON'T DISCLOSE SECURITY FLAWS TO UNWILLING OWNERS.
If you stumble across a security flaw in a proprietary system, check whether they have a bug bounty. If so, great. If not, keep your mouth shut and get on with your life. (Unless, of course, you've decided to sell it on the black market; if you're okay with the ethics of that, so be it. But my advice, that needs to become the standard advice to everyone, is to just keep your mouth shut.)
Don't bite the hand that feeds you - and don't feed the mouth that's going to bite you.
So let's suppose I'm a clever computer guy and I enjoy finding out how systems work and don't work, and I uncover lots of security problems.
But I'm also lazy and/or not very good at dealing with large corporations to find the right person to report these things to, even if they have a bug bounty.
Are there any organizations -- uhh, non-criminal organizations -- that will take a security report, find the right person at the company to report it to, see that it is addressed, and maintain my anonymity, so that I can wash my hands of it and go back to what I prefer to do with my time?
I'll add: disclose it anonymously, tied to a pseudonym and/or public key. You can give them data and time to fix it, with assurances that it will be made more public after a reasonable period of time. Thanks to anonymity, they're not going to do shit like in the article.
Key is "unwilling". Hackers must also remember some companies willingly pay for this info.
Based on the numbers I've seen doing contract work for a big blue chip in the UK, you could see it as an opportunity to sell penetration testing services. If this one is unwilling, there could be 5 more willing to pay a good sum to have these sorts of flaws identified and fixed.
I get the feeling a lot of pen testing companies run a standard set of checks for vulnerabilities. The report I saw was simply a bunch of Metasploit results. They were charging many thousands for this. Offering above and beyond could be a good opportunity.
I think the problem here is that the hacker's "responsible disclosure practice" never filtered down to a part of the organization that was in a position to care, understand and respond.
Merely sending emails and awaiting a response (if that's what happened) is an ineffectual tactic, as it depends on a chain of unaccountable people within the org making the right decision about who to forward the email to.
This strikes me as one of the most poorly understood aspects of software/computing.
Breaking into a computer system is like criticizing someone's ideas, not breaking into a house. Since anyone can trivially break into a house, we judge people by their intent, and thus authorities are trained to wonder "why was he doing that at all?" Whereas with computers malice is taken for granted and security has to be by design.
Most people understand that criticism does you a favor. Maybe we should explain that security systems are like public debates, and that successful hackers just happened to say something first.
Part of the problem is the over-reliance on metaphor. They're flawed, and often confuse people. The suggestion of people walking into houses, or sticking their hands through open windows (or even just peering through them), tends to unsettle people. It brings to mind trespassing and countless episodes of Law & Order that start off with rape and murder. So why are we willingly choosing to discuss encryption, networking, and security research/disclosure through analogies that set people on edge from the very beginning? We lose the listener immediately. And probably poison the well, too.
I feel like a better analogy, especially in this case, would be "it's not breaking into the house, it's looking in the window". Non-technical people would generally understand the equivalent of, say, a business leaving a stack of personal files next to a sidewalk window and someone calling up the news to say "this could lead to identity theft!".
How does this analogy make sense? It's totally possible for someone to steal valuable data from a computer system, even personal information. There may not have been any sensitive information in this case, but to suggest that breaking a security system is a "public debate" seems wrong.
Maybe now that he has been sentenced and everything seems settled, he should talk to some lawyers or NGOs and have them sued for negligence. Two years of not giving a damn is unacceptable.
I think it might be more like breaking into a house than you think. The reason is that there's no way to verify your intent. This leaves 'em free to make up one of their choosing.
"Security by design" seems to imply "oh, this is just a game." Nope. If you now require all people to be part of an electronics security arms race, this is a problem.
It may well be that there should be a mechanism for the police to refer such a kid to others in e. security to enculturate him or get him a network to be part of.
Kid should have just sold his hack to the highest bidder and skipped the country. Denounce me as unethical as all you want but his situation would be objectively better if he hadn't cooperated with the authorities.
> Kid should have just sold his hack to the highest bidder
Really? If the thing is used for anything important, just sell the intercepted data on darknet :) And it seems this was passive reception of radio traffic - it'd take them a while to find him.
The whole story just illustrates the danger of doing security research in the open. If he tipped them anonymously, he could simply pass the news to the media after a month and they'd have to shut up and fix their shit.
I once refrained from reporting a web vuln for a similar reason: I didn't trust the owner to handle this professionally, and, unfortunately, I didn't use Tor because I attempted the hack just for fun, wanting to see how they were protected from that. Turns out they weren't at all.
This is yet another example of how one who practices "responsible disclosure" eventually changes their beliefs and begins to practice "full, anonymous, public disclosure".
I think the issue is more that he took this knowledge and tried to listen in on encrypted stuff
>Officials also conducted a search of his house a month later, in April 2015. Besides seizing his computer and a $25 custom equipment with which Ornig was able to intercept TETRA communications, officers also found a fake police badge, and also accused him of impersonating a police officer.
Slovakian found the encryption protocol only worked for about 30% of the communications. He notified the proper authorities and they did nothing for 2 years, so he went public. To be fair, he did not go to prison for 15 months; he only got parole. Catch-22 situation, kind of like always having a roll of money in your pocket when you are trying to save.
Still, running from the police because they won't fix their insecure communications is ridiculous. Regardless of whether or not you made any money.
It wouldn't seem like any kind of hacking went on if some of the communications were actually unencrypted (reading plaintext is not the same as decrypting something with a weak key). The article makes it sound like something you can check just by grabbing packets via Wireshark. Some details are missing here...
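The check the comment above describes, as an added example that is not code from the article or from any commenter: a capture can be sorted into cleartext, ciphertext-like and structured-binary frames from byte statistics alone, with no key involved. Everything in it is an assumption: the frames are constructed payloads with no TETRA framing, the thresholds were picked for this sample, and `fake_ciphertext` is a chained SHA-256 stream standing in for real ciphertext so the example runs offline and reproducibly.

```python
"""Classify captured frames as cleartext, ciphertext or structured binary.

Added example for the thread above, not code from the article or from any
commenter. It assumes nothing about TETRA framing; every frame below is a
constructed payload, and the thresholds are assumptions tuned to the sample.
"""
import hashlib
import math
import string

PRINTABLE = frozenset(string.printable.encode("ascii"))


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def normalized_entropy(data: bytes) -> float:
    """Entropy relative to the maximum possible for this frame length.

    A frame of n bytes can show at most log2(n) bits/byte, so short
    ciphertext never reaches 8.0; normalizing keeps one threshold usable
    across frame sizes."""
    n = len(data)
    if n < 2:
        return 0.0
    return shannon_entropy(data) / min(8.0, math.log2(n))


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are ASCII printable (letters, digits, punctuation, whitespace)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def classify(frame: bytes, text_ratio: float = 0.9, cipher_entropy: float = 0.75) -> str:
    """Return "text", "encrypted" or "binary".

    Readable text is almost entirely printable. Ciphertext (and compressed
    data, which this heuristic cannot tell apart) is close to uniform.
    Structured binary headers are unprintable but low-entropy, which is why
    the entropy check is needed and not just the printable ratio."""
    if printable_ratio(frame) >= text_ratio:
        return "text"
    if normalized_entropy(frame) >= cipher_entropy:
        return "encrypted"
    return "binary"


def encrypted_fraction(frames) -> float:
    """Share of frames whose payload looks encrypted."""
    frames = list(frames)
    if not frames:
        return 0.0
    return sum(1 for f in frames if classify(f) == "encrypted") / len(frames)


def fake_ciphertext(seed: bytes, length: int = 128) -> bytes:
    """Deterministic stand-in for ciphertext: a chained SHA-256 stream.

    Assumption for the example only; it has the byte statistics of
    ciphertext without involving any real cipher or key."""
    out = b""
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed capture: six cleartext dispatch messages, three frames that
# look encrypted, one low-entropy binary header. Not real traffic.
SAMPLE_FRAMES = [
    b"DISPATCH TO UNIT 7: PROCEED TO MAIN ST AND 3RD, CODE 2",
    fake_ciphertext(b"frame-a"),
    b"UNIT 7: COPY, EN ROUTE, ETA FOUR MINUTES",
    b"UNIT 12: REQUEST PLATE CHECK ON ABC-123",
    fake_ciphertext(b"frame-b"),
    b"\x00\x01\x00\x00" * 32,
    b"DISPATCH: PLATE ABC-123 NO RECORD, UNIT 12",
    b"UNIT 3: CLEAR FROM LAST CALL, AVAILABLE",
    fake_ciphertext(b"frame-c"),
    b"DISPATCH TO ALL UNITS: SHIFT CHANGE AT 2200",
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(f"{classify(frame):9s} H={normalized_entropy(frame):.2f} "
              f"printable={printable_ratio(frame):.2f}")
    print(f"encrypted fraction: {encrypted_fraction(SAMPLE_FRAMES):.0%}")
```

The solid direction of this heuristic is the one the comment cares about: a frame classified as text is readable by anyone with a receiver, and saying so involves no decryption. The other direction is weaker, since compressed payloads also look "encrypted", so a high encrypted fraction still needs a protocol decoder before anything is concluded about the cipher.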
Correction, he started intercepting the data as well as playing cop. Still, that's better than running away. If it were the USA, he would have been in jail for sure.
rwallace | 9 years ago
saalweachter | 9 years ago
nickpsecurity | 9 years ago
jwdunne | 9 years ago
crispyambulance | 9 years ago
_xhok | 9 years ago
Bluestrike2 | 9 years ago
zyxley | 9 years ago
eshyong | 9 years ago
qb45 | 9 years ago
ArkyBeagle | 9 years ago
IIAOPSW | 9 years ago
zzzcpan | 9 years ago
qb45 | 9 years ago
eximius | 9 years ago
jlgaddis | 9 years ago
rtpg | 9 years ago
hackney | 9 years ago
soneil | 9 years ago
(yeah, I know. But they're two entirely different countries)
zyxley | 9 years ago
That's not fair at all.
forgotpwtomain | 9 years ago
donatj | 9 years ago
hackney | 9 years ago
icebraining | 9 years ago
Is there any evidence of this? Simply owning a fake badge doesn't even prove intent, let alone being actual evidence that it happened.